White Paper Global ITAD

Building a Successful Global IT Asset Disposition Program

Download as PDF

IT equipment today is the lifeline of any business, and while upkeep and proper maintenance is important, it is not easy. From maintenance and upgrades to final disposition, each phase of managing the lifecycle of IT assets within an organization presents its own set of unique challenges.

Similar to IT asset management (ITAM) processes within an organization, the IT asset disposition (ITAD) process has matured in recent years. Companies have begun to understand data security and environmental compliance risks associated with disposition programs that do not follow rigorous processes. This is why over the last few years Sims Lifecycle Services has seen many global RFPs as companies started recognizing their own inconsistent ITAD programs at locations around the world.

Wondering where to start?

It does not always have to be as drastic as tearing up your current IT asset disposition program, and starting over; although that may be necessary in some cases. Start first by assessing your current situation, then understanding where you can improve to ensure your program will be successful.

networked equipment

“ITAD is the last stage [of the ITAM process] and too often becomes an afterthought; a “necessary evil” that carries with it significant risks without a thorough, detailed, end-to-end process that is consistently executed throughout your enterprise.”

Noted Gartner, Inc. in the Gartner Market Guide for IT Asset Disposition, July 26, 2018.

Assessing the Situation

Perhaps you are unsure if your IT asset disposal and electronics recycling program could be vulnerable to security threats. The following checklist will help you understand your program’s current strengths and weaknesses, allowing you to create an action plan for improvement.

Do any of these sound familiar?

If items on the above list apply to your program, you should review, update and add to your IT asset disposition program plan. Use the following chart to determine what areas you want to focus on the most.

Regulatory Environment (1 in the list above)

Companies must adhere to data security and environmental legislation in the macro environment. Globally this regulatory framework is typically by country or region.

Corporate Compliance (2 – 5 in the list above)

ITAD programs should be consistent with a company’s risk management and data security policies.

Operations (6 – 11 in the list above)

Many global companies are restructuring ITAD programs to be centrally managed and consistent at locations worldwide.

Vendor Selection (12 – 13 in the list above)

The breadth and depth of services offered by ITAD and electronics recycling vendors vary dramatically. It is important to select a vendor who has capabilities that best match your requirements.

*A more detailed discussion for each of these four segments follows.

Regulatory Environment

Global Data Privacy Regulations

European Union (EU)

In May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect. GDPR is a huge legislative change in Europe that outlines significant financial penalties for non-compliant handling of EU citizens’ data. It does not matter where you are based, where you do business or where your headquarters is located. If your company handles, processes, or stores data of EU citizens, you need to be GDPR compliant. The consequences of non-compliance are severe. Companies can face fines of up to €20,000,000 or four percent of global revenue.

United States (U.S.)

In the U.S., there is a patchwork of different legislation for different industries including:

Australia

In February 2018, Australia’s Privacy Amendment Act 2017 became effective, introducing the Notifiable Data Breaches Scheme. This scheme affects those under the Australian Privacy Act and requires them to take steps to secure certain categories of personal information.

With so many tightened data security requirements, companies are taking steps to develop more structured and formalized ITAD programs that are compliant with industry and privacy legislation and corporate risk management programs.

Global E-Waste Legislation

Legislation governing how e-waste is disposed of is inconsistent regionally and globally. Batteries, toner, ink, mercury bulbs and leaded glass from CRT monitors are common items requiring special handling when recycling electronics.

There have been significant industry issues with e-waste being illegally exported and dumped in developing countries causing human health and environmental issues. With the patchwork of inconsistent legislation, most companies take their own proactive stance in auditing vendors to ensure e-waste disposal is managed responsibly.

Evaluating Regulatory and Corporate Requirements

Regulatory compliance efforts can be further complicated when companies operate in multiple locations and face regulations that vary by country. For global IT asset disposition, questions that typically come up include:

Corporate Compliance

Corporate Management Considerations

Corporate risk management, business continuity and data security policies can all impact your global ITAD program. A data destruction plan for media storage devices is critical when removing IT equipment and electronic assets from your live environment. This should reflect the same risk protection as outlined in your corporate data security policies.

Looking Back

IT asset disposition or “ITAD”, is a relatively new term. Historically, disposing of retired IT equipment was a financial calculation. Considerations focused on what,

There were few additional considerations in most cases.

As data risks became more publicized and data threats more intimidating, companies began dedicating resources to ensure data destruction of information stored on retired IT assets. Companies have a vested interest in protecting confidential corporate information such as trade secrets, sales records, copyright and intellectual property, as well as customer data.

Global companies often face the challenge of consistently managing data destruction processes from country to country at smaller offices with remote employees.

On top of managing inventory, these global companies must also consider changes to data bearing devices over time. For instance, it took several years for all-in-one copiers and printers to be recognized as “data bearing devices” after they were equipped with hard drives to support electronic document storage. As our devices today become “smarter”, regular reassessment of data risks on retired IT assets and equipment will be critical.

After removing data bearing assets from your live environment, it is important to have a plan in place to ensure all data is destroyed.

Operations

Overview of an ITAD Program

Companies are taking a closer look at e-recycling and ITAD vendor’s infrastructure. Having a better understanding of their ITAD and data destruction services will help ensure their corporate interests are protected and are compliant with relevant regulations.

Fragmented ITAD and Computer Recycling Programs

Some large enterprises manage different programs at each company location. It has been common for IT equipment disposal programs and plans to be managed separately but seldom has this task been part of anyone’s job description nor provided in any formalized manner.

Data security was previously not as much of a primary consideration, and many times, there was no documentation of how equipment was disposed of and how data was destroyed. This fragmented opaque situation is no longer acceptable today.

Know What You Have — Operational Challenges for Multi-site Locations

The first obstacle many companies face in trying to manage a global ITAD program is a black hole of information. It can be difficult to assess what assets you have, where they are located and how each location handles removing IT assets from your live environment. You cannot manage what you cannot measure.

Common challenges include:

Vendor Selection

Global Data Privacy Regulations

The ITAD services required at each location will vary by client. In general, services offered by IT asset disposition industry providers are categorized by location, either at the:

Moving IT assets between two locations is also important for full accountability, especially for any data bearing devices. This diagram provides an overview of the structure of a typical ITAD program.

On-site ITAD services (at client location) include:

It is important to know the correct transport service is provided to ensure chain-of-custody is defined, known and consistent with the risk associated with assets to be transported.

Off-site services (at service provider location) includes:

At a high level, there are other vendor qualifications and capabilities to consider. To ensure credibility of the business you should consider the company size, longevity, number of employees, and understand what percent of their business is dedicated to ITAD services.

When it comes to execution, you can ask yourself these questions.

Global ITAD RFP Guide

We have seen many companies ask these types of questions through a Request for Information, prior to issuing a more detailed Request for Proposal (RFP). To get started building your custom RFP, best fit for your needs, check out the template we created to help companies like you.